Penetration testing of quantum key distribution system as a black box

Abstract Quantum key distribution (QKD) establishes a shared secret between remote parties and is proven unbreakable in theory. Unfortunately, practical implementations of QKD have device imperfections leading to security vulnerabilities. Most of these have been verified in a white-box testing scenario, when one has access to the system hardware for its analysis. Here we implement an automated penetration testing on a QKD system as a black box, using only its public communication lines and limited operator’s manual. Our implementation parses information transmitted in the classical communication line and toggles an optical delay in the quantum communication line. This allows it to tamper with timing settings of detector gates in the QKD system during its calibration procedure and passively eavesdrop 98.97% of the sifted key. The entire testing is fully automated and takes minutes to begin the eavesdropping. Our work paves the way for automated penetration testing of QKD installations as security verification.